NSA Provides Guidance to Mitigate VPN Vulnerabilities to Hackers

In October 2020 and April 2021, the U.S. National Security Administration posted advisories regarding known vulnerabilities that Chinese and Russian hackers use to breach U.S. and other networks.

Our Observations:

  1. Many of the vulnerabilities are in Virtual Private Network (VPN) software solutions specifically designed to prevent hacking.
  2. It is interesting to note, that in light of the U.S. Administration’s newly announced sanctions against Russia, that China has exploited many more vulnerabilities than Russia, according to the U.S. National Security Administration’s published vulnerabilities list (see below).
  3. In healthcare, HIPAA Covered Entities should review the material and contact their vendors for additional guidance, yet, that may be inadequate.
    • For example, some of the vendors with impacted systems and vulnerabilities have opportunistically reported vulnerabilities in other vendors’ systems, but not in their own.
    • Specifically, Fortinet reports vulnerabilities that its “Lab” detects but has not reported a vulnerability in its own Fortinet FortiGate VPN.  As of April 15, 2021 there are no 2020 or 2021 updates on Fortinet’s searchable vulnerabilities list pertaining to its own FortiGate VPN. (See https://www.fortiguard.com/ )
  4. For the sectors of the healthcare industry that use or disclose protected health information (PHI) and who are HIPAA Covered Entities, there are specific Administrative Safeguards that are designed to encourage cyclical review and revision of policies to prevent against hacking and breaches of Protected Health Information (PHI).  See Administrative Safeguards in this article.

I. Administrative Safeguards (See §164.308(a)(1))

The first standard under Administrative Safeguards section is the Security Management Process. This standard requires covered entities to: “Implement policies and procedures to prevent, detect, contain and correct security violations.” The purpose of this standard is to establish the administrative processes and procedures that a covered entity will use to implement the security program in its environment.

There are four implementation specifications in the Security Management Process standard.  Here are the first two:

Risk Analysis (Required)

‘Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity’ as provided for in § 164.308(a)(1)(ii)(A)

Covered Entities’ Risk Analysis is implemented by the policies and policy review as well as our security infrastructure. Known vulnerabilities should be identified in the infrastructure, policies should be revised, and technology updates or replacements should be performed to mitigate risks.

Risk Management (Required)

‘“Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a).”

Covered Entities’ Risk Management should be implemented by the policies and policy review, as well as in security infrastructure.

II. Russian hacking associated vulnerabilities

On April 15, 2021 the U.S. National Security Administration published known vulnerabilities that impact U.S. and Allied networks.

NSA states that users of these products should mitigate against the following known vulnerabilities including two VPNs

  • CVE-2018-13379 Fortinet FortiGate VPN.
  • CVE-2019-9670 Synacor Zimbra Collaboration Suite.
  • CVE-2019-11510 Pulse Secure Pulse Connect Secure VPN.
  • CVE-2019-19781 Citrix Application Delivery Controller and Gateway.

III. Chinese hacking associated vulnerabilities

CVE NumberVulnerability DescriptionPrior NSA Cybersecurity Guidance
(Some focused on other actors)
CVE-2019-11510In Pulse Secure VPNs,® 7 an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file reading vulnerability. This may lead to exposure of keys or passwords.CSA – Mitigating Recent VPN Vulnerabilities U/OO/196888-19
CSA – Advisory - APT29 target COVID-19 research organizations U/OO/152680-20
Affects: Pulse Connect Secure® (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4. [1]
1 T1190 and T1133 are MITRE® ATT&CK® techniques. MITRE and ATT&CK are registered trademarks of The MITRE Corporation. 2 Refer to CSI – Update and Upgrade Software Immediately U/OO/181147-19
3 Refer to CSI – Perform Out-of-Band Network Management U/OO/169570-20
4 Refer to ORN – Outdated Software and Protocols Continue to Result in Endpoint and Network Compromise U/OO/802041-16 5 Refer to CSI – Segment Networks and Deploy Application-Aware Defenses U/OO/184967-19
6 Refer to CSI – Continuously Hunt for Network Intrusions U/OO/181860-19
7 Pulse Secure VPN® is a registered trademark of Pulse Secure, LLC.
Additional Mitigations: Note that patching does not address credentials which may have been lost prior to patches being applied. NSA discourages the use of proprietary SSLVPN/TLSVPN protocols, which are not compliant with CNSS policy. Transition SSLVPN/TLSVPN deployments to either IETF standard-conformant TLS for single application use cases, or to IKE/IPsec VPNs, preferably using one of the evaluated TLS software applications or IPSec VPN gateways/clients listed on the National Information
Assurance Partnership (NIAP) Product Compliant List (PCL).
CVE-2020-5902In F5 BIG-IP® 8 proxy / load balancer devices, the Traffic Management User Interface (TMUI) - also referred to as the Configuration utility - has a Remote Code Execution (RCE) vulnerability in undisclosed pages.CSI – Harden Network Devices U/OO/171339-16
CSI – Perform Out-of-Band Network Management U/OO/169570-20
Affects: F5 BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1. [2]
Additional Mitigations: By default, the TMUI is accessible via the management interface on both the external and internal interface.
Best practice is to disable the external interface and configure an out-of-band management network. NSA released guidance for this in the Harden Network Devices CSI (U/OO/171339-16) and the Perform Out-of-Band Network Management CSI (U/OO/169570-20).
CVE-2019-19781An issue was discovered in Citrix® 9 Application Delivery Controller (ADC) and Gateway. They allow directory traversal, which can lead to remote code execution without credentials.CSI – Detect and Prevent Web Shell Malware U/OO/134094-20
CSA – Advisory - APT29 target COVID-19 research organizations U/OO/152680-20
CSA – Mitigate CVE-2019-19781 U/OO/103100-20
Affects: Citrix ADC and Gateway versions before 13.0.47.24, 12.1.55.18, 12.0.63.13, 11.1.63.15 and 10.5.70.12 and SD-WAN
WANOP 4000-WO, 4100-WO, 5000-WO, and 5100-WO versions before 10.2.6b and 11.0.3b. [3]
CVE-2020-8193 CVE-2020-8195 CVE-2020-8196Improper access control and input validation, in Citrix® ADC and Citrix® Gateway and Citrix® SDWAN WAN-OP, allows unauthenticated access to certain URL endpoints
and information disclosure to low-privileged users.
CSI – Detect and Prevent Web Shell Malware U/OO/134094-20
Affects: Citrix ADC and Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18, ADC FIPS versions
before 12.1-55.179 and SD-WAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7. [4]
CVE-2019-0708A remote code execution vulnerability exists within Remote Desktop Services®10 when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests.CSA – Patch Remote Desktop Services on Legacy Versions of Windows U/OO/152674-19
ORN – Outdated Software and Protocols
Continue to Result in Endpoint and Network Compromise U/OO/802041-16
Affects: Microsoft Windows®11 XP - 7, Microsoft Windows Server®12 2003 - 2008.
Additional Mitigations: Block TCP Port 3389 at your firewalls, especially any perimeter firewalls exposed to the internet. This port is used by the Remote Desktop Protocol (RDP) and will block attempts to establish a connection. Disable Remote Desktop Services if they are not required. Disabling unused and unneeded services helps reduce exposure to security vulnerabilities overall and is a best practice even without the BlueKeep threat.
Enable Network Level Authentication. With NLA enabled, attackers would first have to authenticate to RDS in order to successfully exploit the vulnerability. NLA is available on the Windows® 7, Windows Server® 2008 and Windows Server® 2008 R2 operating
systems.
CVE-2020-15505A remote code execution vulnerability in the
MobileIron®13 mobile device management (MDM)
CSI – Update and Upgrade Software
Immediately U/OO/181147-19
8 F5 BIG-IP® is a registered trademark of F5 Networks, Inc. 9 Citrix® is a registered trademark of Citrix Systems, Inc.
10 Remote Desktop Services® is a registered trademark of Microsoft Corporation in the United States and/or other countries. 11 Windows OS® is a registered trademark of Microsoft Corporation in the United States and/or other countries.
12 Windows Server® is a registered trademark of Microsoft Corporation in the United States and/or other countries.
13 MobileIron® is a registered trademark of MobileIron, Inc.
software that allows remote attackers to execute
arbitrary code via unspecified vectors.
Affects: MobileIron® Core and Connector versions 10.6 and earlier, and Sentry versions 9.8 and earlier. [5]
CVE-2020-1350A remote code execution vulnerability exists in Windows® Domain Name System servers when they fail
to properly handle requests.
CSA – Patch Critical Vulnerability in Windows Servers® using DNS Server Role
U/OO/152726-20
Affects: Microsoft Windows Server® 2008 - 2019
Additional Mitigations: Keep system and product updated and patched. In the event that an update cannot be applied immediately, the following workaround will prevent the vulnerability from being exploited, per Microsoft’s® recommendation. The workaround configures Windows® DNS servers to restrict the size of acceptable DNS message packets over TCP to 65,280 bytes (0xFF00).
Applying the workaround requires a restart of the DNS service. Apply the patch as soon as possible and remove the workaround once the patch is applied.
Launch an elevated PowerShell prompt:
Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters -Name TcpReceivePacketSize -Type DWord -Value 0xFF00
CVE-2020-1472An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC), aka 'Netlogon
Elevation of Privilege Vulnerability'.
CSI – Update and Upgrade Software Immediately U/OO/181147-19
Affects: Microsoft Windows Server® 2008 - 2019
Additional Mitigations: Install the patch and implement the additional instructions found in Microsoft article KB4557222.
CVE-2019-1040A tampering vulnerability exists in Microsoft Windows® when a man-in-the-middle attacker is able to successfully bypass the NTLM MIC (Message Integrity Check) protection.CSI – Update and Upgrade Software Immediately U/OO/181147-19
ORN – Outdated Software and Protocols
Continue to Result in Endpoint and Network Compromise U/OO/802041-16
Affects: Microsoft Windows® 7 - 10, Microsoft Windows Server® 2008 - 2019.
Additional Mitigations: Limit the use of NTLM as much as possible and stop the use of NTLMv1. [6] [7]
CVE-2018-6789Sending a handcrafted message to Exim mail transfer agent may cause a buffer overflow. This can be used to
execute code remotely.
CSI – Update and Upgrade Software Immediately U/OO/181147-19
Affects: Exim before 4.90.1. [8]
CVE-2020-0688A Microsoft Exchange® validation key remote code
execution vulnerability exists when the software fails to properly handle objects in memory.
CSI – Detect and Prevent Web Shell Malware U/OO/134094-20
Affects: Microsoft Exchange Server® 2010 Service Pack 3 Update Rollup 29 and earlier, 2013 Cumulative Update 22 and earlier,
2016 Cumulative Update 13 and earlier and 2019 Cumulative Update 2 and earlier. [9]
CVE-2018-4939Certain Adobe ColdFusion®14 versions have an exploitable Deserialization of Untrusted Data vulnerability. Successful exploitation could lead to
arbitrary code execution.
CSI – Update and Upgrade Software Immediately U/OO/181147-19
Affects: Adobe ColdFusion (2016 release) Update 5 and earlier versions, ColdFusion 11 Update 13 and earlier versions. [10]
CVE-2015-4852The WLS Security component in Oracle WebLogic®15 Server allows remote attackers to execute arbitrary commands via a crafted serialized Java®16 object.CSI – Detect and Prevent Web Shell Malware U/OO/134094-20
Affects: Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0. [11]
CVE-2020-2555A vulnerability exists in the Oracle® Coherence product
of Oracle Fusion® Middleware. This easily exploitable
CSI – Detect and Prevent Web Shell
Malware U/OO/134094-20
14 Adobe ColdFusion® is a registered trademark of Adobe Systems, Inc. 15 Oracle WebLogic® is a registered trademark of Oracle Corporation.
16 Java® is a registered trademark of Oracle Corporation.
vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle®
Coherence.
Affects: Oracle Coherence 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0. [12]
CVE-2019-3396The Widget Connector macro in Atlassian Confluence®17 Server allows remote attackers to achieve path traversal and remote code execution on a Confluence® Server or Data Center instance via server-side template injection.CSA – Patch Critical Vulnerability In Atlassian Confluence
CSI – Detect and Prevent Web Shell Malware U/OO/134094-20
Affects: Atlassian Confluence before 6.6.12, 6.7.0 to before 6.12.3, 6.13.0 to before 6.13.3, and 6.14.0 to before 6.14.2. [13]
CVE-2019-11580Attackers who can send requests to an Atlassian® Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits
remote code execution.
CSI – Detect and Prevent Web Shell Malware U/OO/134094-20
Affects: Atlassian Crowd from 2.1.0 to before 3.0.5, 3.1.0 to before 3.1.6, 3.2.0 to before 3.2.8, 3.3.0 to before 3.3.5, and 3.4.0 to
before 3.4.4. [14]
CVE-2020-10189Zoho ManageEngine®18 Desktop Central allows remote
code execution because of deserialization of untrusted data.
CSI – Detect and Prevent Web Shell Malware U/OO/134094-20
Affects: Zoho ManageEngine Desktop Central before 10.0.479. [15]
CVE-2019-18935Progress Telerik®19 UI for ASP.NET AJAX contains a .NET deserialization vulnerability. Exploitation can result in
remote code execution.
CSI – Detect and Prevent Web Shell Malware U/OO/134094-20
Affects: Progress Telerik UI for ASP.NET AJAX through 2019.3.1023. [16]
Additional Mitigations: NSA concurs with Tenable’s®20 recommendations: “This is exploitable when the encryption keys are known due to the presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result in remote code execution. (As of 2020.1.114, a default setting prevents the exploit. In 2019.3.1023, but not earlier versions, a non-default setting can prevent
exploitation.)” [16]
CVE-2020-0601A spoofing vulnerability exists in the way Windows® CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it
appear that the file was from a trusted, legitimate source.
CSA – Patch Critical Cryptographic Vulnerability in Microsoft Windows® Clients and Servers U/OO/104201-20
Affects: Microsoft Windows® 10, Server® 2016 - 2019.
Additional Mitigations: In addition, the Windows® certificate utility (certutil) and the OpenSSL®21 utility can be used to inspect a certificate for explicitly defined or non-standard elliptic curve parameters if a suspect certificate is encountered.
CVE-2019-0803An elevation of privilege vulnerability exists in Windows®
when the Win32k component fails to properly handle objects in memory.
CSI – Update and Upgrade Software Immediately U/OO/181147-19
Affects: Microsoft Windows® 7 - 10, Microsoft Windows Server® 2008 - 2019.
CVE-2017-6327The Symantec®22 Messaging Gateway can encounter a
remote code execution issue.
CSI – Update and Upgrade Software
Immediately U/OO/181147-19
Affects: Symantec Messaging Gateway before 10.6.3-267. [17]
Additional Mitigations: Run under the principle of least privilege, where possible, to limit the impact of potential exploit.
CVE-2020-3118A vulnerability in the Cisco® Discovery Protocol implementation for Cisco IOS®23 XR Software could allowCSI – Harden Network Devices U/OO/171339-16
17 Atlassian Confluence® is a registered trademark of Atlassian, Inc. 18 ManageEngine® is a registered trademark of Zoho Corporation. 19 Telerik UI® is a registered trademark of Telerik AD.
20 Tenable® is a registered trademark of Tenable, Inc.
21 OpenSSL® is a registered trademark of OpenSSL Software Foundation. 22 Symantec® is a registered trademark of Broadcom Corporation.
23 Cisco IOS® is a registered trademark of Cisco Systems, Inc. in the United States and other countries.
an unauthenticated, adjacent attacker to execute
arbitrary code or cause a reload on an affected device.
Affects: Cisco IOS XR 5.2.5, 6.5.2, 6.5.3, 6.6.25, 7.0.1. [18]
Additional Mitigations: On many devices, Cisco® Discovery Protocol is enabled by default. NSA recommends disabling discovery
protocols, per our Harden Network Devices CSI. To determine if CDP is enabled, use the “show running-config | include cdp” command.
CVE-2020-8515DrayTek Vigor®24 devices allow remote code execution as
root (without authentication) via shell metacharacters.
CSI – Update and Upgrade Software
Immediately U/OO/181147-19
Affects: Vigor2960® 1.3.1_Beta, Vigor3900® 1.4.4_Beta, and Vigor300B® 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices. [19]
Additional Mitigations: After patching the system, check to make sure that no additional admin users or remote access profiles have been added. Verify that no changes have been made to Access Control Lists.
NSA is aware that National Security Systems, Defense Industrial Base, and Department of Defense networks are consistently scanned, targeted, and exploited by Chinese state-sponsored cyber actors. NSA recommends that critical system owners consider these actions a priority, in order to mitigate the loss of sensitive information that could impact
U.S. policies, strategies, plans, and competitive advantage. Additionally, due to the various systems and networks that could be impacted by the information in this product outside of these sectors, NSA recommends that the CVEs above be prioritized for action by all network defenders.

Related Posts

HIPAA Expert Witness

Healthcare Cyber Security Standards

Electronic Health Record Forensic Expert

Works Cited

 See https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF  

See https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2573391/russian-foreign-intelligence-service-exploiting-five-publicly-known-vulnerabili/

See also

Disclaimer of Endorsement

The information and opinions contained in this document are provided “as is” and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.

Purpose

This document was developed in furtherance of NSA’s cybersecurity missions, including its responsibilities to identify and disseminate threats to National Security Systems, Department of Defense, and Defense Industrial Base information systems, and to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.

Michael F. Arrigo

Michael Arrigo brings four decades of experience in the software, financial services, and healthcare industries. In 2000, Mr. Arrigo founded No World Borders, a healthcare data, regulations, and economics firm with clients in the pharmaceutical, medical device, hospital, surgical center, physician group, diagnostic imaging, genetic testing, health IT, and health insurance markets. His expertise spans the federal health programs Medicare and Medicaid and private insurance. He advises Medicare Advantage Organizations who provide health insurance under Part C of the Medicare Act. Mr. Arrigo serves as an expert witness regarding medical coding and medical billing, fraud damages, as well as electronic health record software for the U.S. Department of Justice. He has valued well over $1 billion in medical billings in personal injury liens, medical malpractice, insurance fraud cases. The U.S. Court of Appeals considered Mr. Arrigo's opinion regarding loss amounts, vacating, and remanding sentencing in a fraud case. Mr. Arrigo provides expertise in the Medicare Secondary Payer Act, Medicare LCDs, anti-trust litigation, medical intellectual property and trade secrets, HIPAA privacy, health care electronic claim data Standards, physician compensation, Anti-Kickback Statute, Stark law, the Affordable Care Act, False Claims Act, and the ARRA HITECH Act. Arrigo advises investors on merger and acquisition (M&A) diligence in the healthcare industry on transactions cumulatively valued at over $1 billion. Mr. Arrigo spent over ten years in Silicon Valley software firms in roles from Product Manager to CEO. He was product manager for a leading-edge database technology joint venture that became commercialized as Microsoft SQL Server, Vice President of Marketing for a software company when it grew from under $2 million in revenue to a $50 million acquisition by a company now merged into Cincom Systems, hired by private equity investors to serve as Vice President of Marketing for a secure email software company until its acquisition and multi $million investor exit by a company now merged into Axway Software SA (Euronext: AXW.PA), and CEO of one of the first cloud-based billing software companies, licensing its technology to Citrix Systems (NASDAQ: CTXS). Later, before entering the healthcare industry, he joined Fortune 500 company Fidelity National Financial (NYSE: FNF) as a Vice President, overseeing eCommerce solutions for the mortgage banking industry. While serving as a Vice President at Fortune 500 company First American Financial (NYSE: FAF), he oversaw eCommerce and regulatory compliance technology initiatives for top ten mortgage banks and led the Sarbanes Oxley Act Section 302 internal controls IT audit for the company, supporting Section 404 of the Sarbanes Oxley Act. Mr. Arrigo earned his Bachelor of Science in Business Administration from the University of Southern California. Before that, he studied computer science, statistics, and economics at the University of California, Irvine. His post-graduate studies include biomedical ethics at Harvard Medical School, biomedical informatics at Stanford Medical School, blockchain and crypto economics at the Massachusetts Institute of Technology, and training as a Certified Professional Medical Auditor (CPMA). Mr. Arrigo is qualified to serve as a director due to his experience in healthcare data, regulations, and economics, his leadership roles in software and financial services public companies, and his healthcare M&A diligence and public company regulatory experience. Mr. Arrigo is quoted in The Wall Street Journal, Fortune Magazine, Kaiser Health News, Consumer Affairs, National Public Radio (NPR), NBC News Houston, USA Today / Milwaukee Journal Sentinel, Medical Economics, Capitol ForumThe Daily Beast, the Lund Report, Inside Higher Ed, New England Psychologist, and other press and media outlets. He authored a peer-reviewed article regarding clinical documentation quality to support accurate medical coding, billing, and good patient care, published by Healthcare Financial Management Association (HFMA) and is published in Healthcare IT News.

Leave a Reply